Report Name: Linux Patch Wednesday February 2026
Generated: 2026-02-20 00:13:45

Product Name	Prevalence	U	C	H	M	L	A	Comment
pip	0.95			1			1	pip is the standard package installer for Python, used to install and manage software packages from the Python Package Index (PyPI) and other repositories.
AMD Processor	0.9				1		1	Processor
AMD SEV-SNP	0.9				1		1	AMD SEV-SNP capable CPUs are processors designed with Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) technology, which protects virtual machine memory from unauthorized access by encrypting guest memory and providing integrity protection. These CPUs are commonly used in cloud, server, and high-security environments.
Django	0.9			1	5		6	Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in tools for database models, authentication, URL routing, templates, and security features, making it one of the most widely used frameworks for building scalable and maintainable web applications.
Intel(R) Processor	0.9				1		1	Intel's processors from the pioneering 4-bit 4004 (1971) to the present high-end offerings
Linux Kernel	0.9				114	191	305	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Rust	0.9			1	2		3	Rust is a modern, high-performance systems programming language focused on safety, concurrency, and memory management.
Grafana	0.85		1	1	1		3	Grafana is an open-source analytics and monitoring platform that provides dashboards and visualization tools for metrics collected from various data sources.
Chromium	0.8	1		2	11		14	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GLPI	0.8			1	1		2	GLPI is an open source IT Asset Management, issue tracking system and service desk system
GNOME desktop	0.8				2		2	GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems
Juniper JunOS	0.8			1			1	Junos OS is a FreeBSD-based network operating system used in Juniper Networks routing, switching and security devices
Mozilla Firefox	0.8				2		2	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Node.js	0.8			1			1	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
OpenSSL	0.8		2	10	1		13	A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
Zabbix	0.8				1		1	Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services
libvpx	0.8				2		2	libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia)
Apache Tomcat	0.7				3		3	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
Asterisk	0.7			1	3		4	Asterisk is a free and open source framework for building communications applications and is sponsored by Sangoma
BIND	0.7				1		1	BIND is a suite of software for interacting with the Domain Name System
Calibre	0.7		1	2			3	Calibre is a cross-platform free and open-source suite of e-book software
Moodle	0.7			3	1	2	6	Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License
Oracle MySQL	0.7				6		6	MySQL is an open-source relational database management system
Oracle VM VirtualBox	0.7		1		12		13	Oracle VM VirtualBox is a hosted hypervisor for x86 virtualization developed by Oracle Corporation
PHPUnit	0.7			1			1	PHPUnit is a widely used open-source unit testing framework for PHP, providing tools for writing and running automated tests, including support for code coverage analysis and PHPT test execution.
QEMU	0.7				1		1	QEMU is a generic and open source machine & userspace emulator and virtualizer
qs	0.7				1		1	qs is a popular JavaScript library for parsing and serializing URL query strings. It supports nested objects, arrays, custom parsing options, and is widely used in Node.js frameworks and middleware to handle HTTP query parameters and form-encoded data.
ClamAV	0.6			1			1	ClamAV (Clam AntiVirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses
FreeRDP	0.6				12	1	13	FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license
Libsoup	0.6			1	1	3	5	libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
MongoDB	0.6	1			1	3	5	MongoDB is a source-available, cross-platform, document-oriented database program
Nextcloud	0.6				3	4	7	Nextcloud server is a self hosted personal cloud system
Oracle Java SE	0.6				1		1	Oracle Java SE
Perl	0.6				2		2	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
PostgreSQL	0.6			3		1	4	PostgreSQL also known as Postgres, is a free and open-source relational database management system emphasizing extensibility and SQL compliance.
Proxmox Virtual Environment	0.6			1			1	Proxmox Virtual Environment (Proxmox VE) is an open-source server management platform for enterprise virtualization, enabling management of KVM virtual machines and LXC containers via a web interface and REST API.
PyTorch	0.6		1				1	PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella
Python	0.6			1	2		3	Python is a high-level, general-purpose programming language
Roundcube	0.6			1		1	2	Roundcube is a web-based IMAP email client
ajv	0.6			1			1	ajv (Another JSON Schema Validator) is a high-performance JavaScript library for validating JSON data against JSON Schema specifications, widely used in Node.js applications and APIs.
axios	0.6			1			1	axios is a promise based HTTP client for the browser and node.js
libxml2	0.6				1		1	libxml2 is an XML toolkit implemented in C, originally developed for the GNOME Project
pgAdmin	0.6		2				2	pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world
.NET	0.5				1		1	Product detected by a:microsoft:.net (exists in CPE dict)
Barbican	0.5				1		1	Product detected by a:openstack:barbican (exists in CPE dict)
Bitcoin Core	0.5				2		2	Product detected by a:bitcoin:bitcoin_core (exists in CPE dict)
Cacti	0.5			1			1	Cacti is an open source operational monitoring and fault management framework
DTLS	0.5				1		1	Product detected by a:pion:dtls (exists in CPE dict)
GIMP	0.5				1		1	GIMP is an open-source image manipulation program used for photo editing, graphic design, and digital art creation.
Go	0.5				1		1	Product detected by a:golang:go (exists in CPE dict)
Go-tuf	0.5				2		2	Product detected by a:theupdateframework:go-tuf (exists in CPE dict)
Icinga	0.5				1		1	Icinga is an open-source IT monitoring application that checks network resources, generates performance data, and notifies users of outages.
Opensearch	0.5			1			1	Product detected by a:amazon:opensearch (exists in CPE dict)
Pillow	0.5				1		1	Pillow is a Python imaging library that adds image processing capabilities to Python, supporting formats such as PNG, JPEG, GIF, TIFF, and BMP.
Pypdf	0.5			1			1	PyPDF is a Python library for reading, manipulating, and writing PDF files, including extraction, splitting, merging, and encryption features.
Radare2	0.5				3		3	Radare2 is an open-source reverse engineering framework that includes tools for binary analysis, disassembly, debugging, and forensics.
Shaarli	0.5			1			1	Product detected by a:shaarli_project:shaarli (exists in CPE dict)
Shiro	0.5				1	1	2	Product detected by a:apache:shiro (exists in CPE dict)
Suricata	0.5				5	2	7	Suricata is an open-source intrusion detection and prevention system (IDS/IPS) and network security monitoring engine that supports deep packet inspection and threat detection.
TLS	0.5				1		1	TLS
Thunderbird	0.5					1	1	Product detected by a:mozilla:thunderbird (exists in CPE dict)
Traefik	0.5				1		1	Product detected by a:traefik:traefik (exists in CPE dict)
Wheel	0.5			1			1	Product detected by a:wheel_project:wheel (exists in CPE dict)
Xpdfreader	0.5				1		1	Product detected by a:glyphandcog:xpdfreader (exists in CPE dict)
Xrdp	0.5			1			1	xrdp is an open source remote desktop protocol server
avahi	0.5					1	1	Product detected by a:avahi:avahi (exists in CPE dict)
docopt.cpp	0.5			1			1	Product detected by a:docopt:docopt.cpp (does NOT exist in CPE dict)
geopandas	0.5			1			1	Product detected by a:geopandas:geopandas (does NOT exist in CPE dict)
gitea	0.5				9	1	10	Product detected by a:gitea:gitea (exists in CPE dict)
gnupg	0.5			1			1	Product detected by a:gnupg:gnupg (exists in CPE dict)
html	0.5			1	1		2	Product detected by a:go:html (does NOT exist in CPE dict)
incus	0.5			2			2	Product detected by a:linuxcontainers:incus (does NOT exist in CPE dict)
jsonpath	0.5			1			1	Product detected by a:dchester:jsonpath (does NOT exist in CPE dict)
libexpat	0.5					1	1	Product detected by a:libexpat_project:libexpat (exists in CPE dict)
libpng	0.5			2			2	Product detected by a:libpng:libpng (exists in CPE dict)
lodash	0.5					1	1	Product detected by a:lodash:lodash (exists in CPE dict)
m\\/monit	0.5			2			2	Product detected by a:tildeslash:m\\/monit (does NOT exist in CPE dict)
micropython	0.5			1			1	Product detected by a:micropython:micropython (does NOT exist in CPE dict)
moodle	0.5				3	1	4	Product detected by a:moodle:moodle (exists in CPE dict)
navidrome	0.5			2			2	Product detected by a:navidrome:navidrome (exists in CPE dict)
nginx_gateway_fabric	0.5				1		1	Product detected by a:f5:nginx_gateway_fabric (does NOT exist in CPE dict)
openbao	0.5				1		1	Product detected by a:openbao:openbao (does NOT exist in CPE dict)
openvpn	0.5				1		1	Product detected by a:openvpn:openvpn (exists in CPE dict)
python-multipart	0.5			1			1	Product detected by a:fastapiexpert:python-multipart (does NOT exist in CPE dict)
rekor	0.5				2		2	Product detected by a:linuxfoundation:rekor (exists in CPE dict)
sentry	0.5				1	1	2	Product detected by a:sentry:sentry (exists in CPE dict)
tlslite-ng	0.5		1				1	Product detected by a:tlslite-ng_project:tlslite-ng (exists in CPE dict)
webpack	0.5			2			2	Product detected by a:webpack.js:webpack (exists in CPE dict)
xen	0.5				1	1	2	Product detected by o:xen:xen (exists in CPE dict)
DiskCache	0.4		1				1	DiskCache (python-diskcache) is a pure-Python caching library that provides a disk-backed, persistent, and performant key-value store, commonly used as a lightweight caching solution for Python applications.
Git	0.4				1		1	Git
Keras	0.4				1		1	High-level neural networks API, running on top of TensorFlow, allowing model building and training
Unknown Product	0				26	77	103	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	1	7	12	11		31
Authentication Bypass	0.98		1	2	25		28
Code Injection	0.97			4	3		7
Command Injection	0.97			1	4		5
XXE Injection	0.97			1	1		2
Security Feature Bypass	0.9		1	3	18	1	23
Server-Side Request Forgery	0.87			2	3		5
Elevation of Privilege	0.85		1	2	3		6
Arbitrary File Reading	0.83			1			1
Information Disclosure	0.83	1		1	3		5
Cross Site Scripting	0.8			3	6		9
Denial of Service	0.7			17	44	8	69
Path Traversal	0.7			4	1	2	7
Incorrect Calculation	0.5			1	1	4	6
Memory Corruption	0.5			5	129	13	147
Spoofing	0.4				5		5
Unknown Vulnerability Type	0				10	266	276

Source	U	C	H	M	L	A
almalinux		2	13	7	3	25
altlinux	1	3	13	65	23	105
debian	1	5	48	183	213	450
oraclelinux		2	14	8	4	28
redhat		2	10	1	1	14
redos	1	2	3	9	11	26
ubuntu		2	14	46	73	135

Urgent (2)

1. Remote Code Execution - Chromium (CVE-2026-2441) - Urgent [919]

Description: Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-2441 was patched at 2026-02-14, 2026-02-18

2. Information Disclosure - MongoDB (CVE-2025-14847) - Urgent [879]

Description: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

altlinux: CVE-2025-14847 was patched at 2026-02-12, 2026-02-13, 2026-02-16, 2026-02-17

redos: CVE-2025-14847 was patched at 2026-02-09

Critical (10)

3. Remote Code Execution - OpenSSL (CVE-2025-15467) - Critical [728]

Description: Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

almalinux: CVE-2025-15467 was patched at 2026-01-28

debian: CVE-2025-15467 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-15467 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-15467 was patched at 2026-01-28, 2026-01-29, 2026-02-02

ubuntu: CVE-2025-15467 was patched at 2026-01-27

4. Remote Code Execution - Calibre (CVE-2026-25635) - Critical [652]

Description: calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

debian: CVE-2026-25635 was patched at 2026-02-18

5. Remote Code Execution - pgAdmin (CVE-2025-12762) - Critical [635]

Description: pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

redos: CVE-2025-12762 was patched at 2026-01-26

6. Remote Code Execution - pgAdmin (CVE-2025-13780) - Critical [635]

Description: pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

redos: CVE-2025-13780 was patched at 2026-02-16

7. Remote Code Execution - OpenSSL (CVE-2025-69421) - Critical [633]

Description: Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

almalinux: CVE-2025-69421 was patched at 2026-01-28

debian: CVE-2025-69421 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-69421 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-69421 was patched at 2026-01-28

ubuntu: CVE-2025-69421 was patched at 2026-01-27

8. Elevation of Privilege - Grafana (CVE-2025-41115) - Critical [626]

Description: SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: - `enableSCIM` feature flag set to true - `user_sync_enabled` config option in the `[auth.scim]` block set to true

altlinux: CVE-2025-41115 was patched at 2026-02-10

9. Remote Code Execution - DiskCache (CVE-2025-69872) - Critical [602]

Description: DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.

debian: CVE-2025-69872 was patched at 2026-02-18

10. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21957) - Critical [601]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21957 was patched at 2026-02-09

11. Security Feature Bypass - tlslite-ng (CVE-2020-26263) - Critical [601]

Description: tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.

altlinux: CVE-2020-26263 was patched at 2026-02-09

12. Remote Code Execution - PyTorch (CVE-2026-24747) - Critical [600]

Description: PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.

debian: CVE-2026-24747 was patched at 2026-02-18

High (59)

13. Arbitrary File Reading - Proxmox Virtual Environment (CVE-2024-21545) - High [593]

Description: Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary host files via the API. When handling the result from a request handler before returning it to the user, the handle_api2_request function will check for the ‘download’ or ‘data’->’download’ objects inside the request handler call response object. If present, handle_api2_request will read a local file defined by this object and return it to the user. Two endpoints were identified which can control the object returned by a request handler sufficiently that the ’download’ object is defined and user controlled. This results in arbitrary file read. The privileges of this file read can result in full compromise of the system by various impacts such as disclosing sensitive files allowing for privileged session forgery.

altlinux: CVE-2024-21545 was patched at 2026-01-28, 2026-02-06

14. Remote Code Execution - Calibre (CVE-2026-25731) - High [592]

Description: calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

debian: CVE-2026-25731 was patched at 2026-02-18

15. Remote Code Execution - Moodle (CVE-2021-47857) - High [592]

Description: Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

redos: CVE-2021-47857 was patched at 2026-02-09

16. Elevation of Privilege - Grafana (CVE-2026-21721) - High [591]

Description: The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.

altlinux: CVE-2026-21721 was patched at 2026-02-10

17. Security Feature Bypass - Chromium (CVE-2026-1504) - High [591]

Description: Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-1504 was patched at 2026-01-30, 2026-02-18

18. Remote Code Execution - OpenSSL (CVE-2025-11187) - High [585]

Description: Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.

almalinux: CVE-2025-11187 was patched at 2026-01-28

debian: CVE-2025-11187 was patched at 2026-02-18

oraclelinux: CVE-2025-11187 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-11187 was patched at 2026-01-28

ubuntu: CVE-2025-11187 was patched at 2026-01-27

19. Authentication Bypass - m\\/monit (CVE-2020-36968) - High [579]

Description: M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.

debian: CVE-2020-36968 was patched at 2026-02-18

20. Denial of Service - OpenSSL (CVE-2025-69420) - High [579]

Description: Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

almalinux: CVE-2025-69420 was patched at 2026-01-28

debian: CVE-2025-69420 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-69420 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-69420 was patched at 2026-01-28

ubuntu: CVE-2025-69420 was patched at 2026-01-27

21. Elevation of Privilege - m\\/monit (CVE-2020-36969) - High [568]

Description: M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.

debian: CVE-2020-36969 was patched at 2026-02-18

22. Denial of Service - Node.js (CVE-2026-25547) - High [567]

Description: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

debian: CVE-2026-25547 was patched at 2026-02-18

23. Denial of Service - OpenSSL (CVE-2025-69419) - High [567]

Description: Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

almalinux: CVE-2025-69419 was patched at 2026-01-28

debian: CVE-2025-69419 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-69419 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-69419 was patched at 2026-01-28, 2026-01-29, 2026-02-02

ubuntu: CVE-2025-69419 was patched at 2026-01-27

24. Security Feature Bypass - OpenSSL (CVE-2025-15469) - High [567]

Description: Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

almalinux: CVE-2025-15469 was patched at 2026-01-28

debian: CVE-2025-15469 was patched at 2026-02-18

oraclelinux: CVE-2025-15469 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-15469 was patched at 2026-01-28

ubuntu: CVE-2025-15469 was patched at 2026-01-27

25. Code Injection - geopandas (CVE-2025-69662) - High [566]

Description: SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.

debian: CVE-2025-69662 was patched at 2026-02-18

26. Command Injection - incus (CVE-2026-23953) - High [566]

Description: Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

debian: CVE-2026-23953 was patched at 2026-01-23, 2026-01-24

27. Memory Corruption - Rust (CVE-2026-25537) - High [560]

Description: jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0.

debian: CVE-2026-25537 was patched at 2026-02-18

28. Denial of Service - OpenSSL (CVE-2025-66199) - High [555]

Description: Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

almalinux: CVE-2025-66199 was patched at 2026-01-28

debian: CVE-2025-66199 was patched at 2026-02-18

oraclelinux: CVE-2025-66199 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-66199 was patched at 2026-01-28

ubuntu: CVE-2025-66199 was patched at 2026-01-27

29. Memory Corruption - Chromium (CVE-2026-1862) - High [555]

Description: Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-1862 was patched at 2026-02-05, 2026-02-18

30. Path Traversal - Calibre (CVE-2026-25636) - High [551]

Description: calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.

debian: CVE-2026-25636 was patched at 2026-02-18

31. Denial of Service - ajv (CVE-2025-69873) - High [546]

Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

debian: CVE-2025-69873 was patched at 2026-02-18

32. Denial of Service - OpenSSL (CVE-2025-15468) - High [544]

Description: Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

almalinux: CVE-2025-15468 was patched at 2026-01-28

debian: CVE-2025-15468 was patched at 2026-02-18

oraclelinux: CVE-2025-15468 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-15468 was patched at 2026-01-28

ubuntu: CVE-2025-15468 was patched at 2026-01-27

33. Denial of Service - OpenSSL (CVE-2026-22796) - High [544]

Description: Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

almalinux: CVE-2026-22796 was patched at 2026-01-28

debian: CVE-2026-22796 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2026-22796 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2026-22796 was patched at 2026-01-28

ubuntu: CVE-2026-22796 was patched at 2026-01-27

34. Remote Code Execution - Wheel (CVE-2026-24049) - High [535]

Description: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

almalinux: CVE-2026-24049 was patched at 2026-02-04, 2026-02-05

altlinux: CVE-2026-24049 was patched at 2026-02-05

debian: CVE-2026-24049 was patched at 2026-01-24

oraclelinux: CVE-2026-24049 was patched at 2026-02-04, 2026-02-05

35. Denial of Service - OpenSSL (CVE-2026-22795) - High [532]

Description: Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

almalinux: CVE-2026-22795 was patched at 2026-01-28

debian: CVE-2026-22795 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2026-22795 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2026-22795 was patched at 2026-01-28

ubuntu: CVE-2026-22795 was patched at 2026-01-27

36. Information Disclosure - OpenSSL (CVE-2025-69418) - High [531]

Description: Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

almalinux: CVE-2025-69418 was patched at 2026-01-28

debian: CVE-2025-69418 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-69418 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-69418 was patched at 2026-01-28

ubuntu: CVE-2025-69418 was patched at 2026-01-27

37. Denial of Service - Opensearch (CVE-2025-9624) - High [529]

Description: A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4.

redos: CVE-2025-9624 was patched at 2026-02-16

38. Path Traversal - incus (CVE-2026-23954) - High [529]

Description: Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

debian: CVE-2026-23954 was patched at 2026-01-23, 2026-01-24

39. Denial of Service - axios (CVE-2026-25639) - High [522]

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

debian: CVE-2026-25639 was patched at 2026-02-18

40. Security Feature Bypass - Roundcube (CVE-2026-25916) - High [522]

Description: Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

debian: CVE-2026-25916 was patched at 2026-02-17, 2026-02-18

41. Denial of Service - OpenSSL (CVE-2025-68160) - High [520]

Description: Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

almalinux: CVE-2025-68160 was patched at 2026-01-28

debian: CVE-2025-68160 was patched at 2026-01-27, 2026-02-18

oraclelinux: CVE-2025-68160 was patched at 2026-01-28, 2026-01-29, 2026-01-30

redhat: CVE-2025-68160 was patched at 2026-01-28

ubuntu: CVE-2025-68160 was patched at 2026-01-27

42. Denial of Service - navidrome (CVE-2026-25579) - High [517]

Description: Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.

altlinux: CVE-2026-25579 was patched at 2026-02-05

43. Memory Corruption - jsonpath (CVE-2025-61140) - High [517]

Description: The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

oraclelinux: CVE-2025-61140 was patched at 2026-02-11, 2026-02-12

44. Path Traversal - pip (CVE-2026-1703) - High [509]

Description: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

debian: CVE-2026-1703 was patched at 2026-02-18

45. Denial of Service - Pypdf (CVE-2026-24688) - High [505]

Description: pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.

debian: CVE-2026-24688 was patched at 2026-02-18

redos: CVE-2026-24688 was patched at 2026-02-16

46. Path Traversal - python-multipart (CVE-2026-24486) - High [505]

Description: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

debian: CVE-2026-24486 was patched at 2026-02-18

ubuntu: CVE-2026-24486 was patched at 2026-02-11

47. Cross Site Scripting - Shaarli (CVE-2026-24476) - High [500]

Description: Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.

debian: CVE-2026-24476 was patched at 2026-02-09, 2026-02-18

48. Cross Site Scripting - navidrome (CVE-2026-25578) - High [500]

Description: Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.

altlinux: CVE-2026-25578 was patched at 2026-02-05

49. Code Injection - Django (CVE-2026-1207) - High [489]

Description: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.

debian: CVE-2026-1207 was patched at 2026-02-18

ubuntu: CVE-2026-1207 was patched at 2026-02-03

50. Cross Site Scripting - Cacti (CVE-2025-45160) - High [488]

Description: A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.

debian: CVE-2025-45160 was patched at 2026-02-18

51. Server-Side Request Forgery - webpack (CVE-2025-68157) - High [488]

Description: Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.

debian: CVE-2025-68157 was patched at 2026-02-18

52. Server-Side Request Forgery - webpack (CVE-2025-68458) - High [488]

Description: Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

debian: CVE-2025-68458 was patched at 2026-02-18

53. Denial of Service - libpng (CVE-2025-28162) - High [482]

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

debian: CVE-2025-28162 was patched at 2026-02-18

ubuntu: CVE-2025-28162 was patched at 2026-02-02

54. Denial of Service - libpng (CVE-2025-28164) - High [482]

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

debian: CVE-2025-28164 was patched at 2026-02-18

ubuntu: CVE-2025-28164 was patched at 2026-02-02

55. Remote Code Execution - Libsoup (CVE-2026-1761) - High [480]

Description: A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.

almalinux: CVE-2026-1761 was patched at 2026-02-05, 2026-02-09, 2026-02-10

debian: CVE-2026-1761 was patched at 2026-02-18

oraclelinux: CVE-2026-1761 was patched at 2026-02-05, 2026-02-09, 2026-02-10

56. Denial of Service - html (CVE-2025-58190) - High [470]

Description: The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

debian: CVE-2025-58190 was patched at 2026-02-18

57. Memory Corruption - gnupg (CVE-2026-24882) - High [470]

Description: In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

almalinux: CVE-2026-24882 was patched at 2026-02-16

debian: CVE-2026-24882 was patched at 2026-02-18

oraclelinux: CVE-2026-24882 was patched at 2026-02-16

58. Incorrect Calculation - Python (CVE-2025-12781) - High [463]

Description: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

debian: CVE-2025-12781 was patched at 2026-01-24

59. Denial of Service - docopt.cpp (CVE-2025-67125) - High [458]

Description: A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS).

debian: CVE-2025-67125 was patched at 2026-01-24

60. Memory Corruption - micropython (CVE-2026-1998) - High [458]

Description: A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.

debian: CVE-2026-1998 was patched at 2026-02-18

61. Code Injection - GLPI (CVE-2026-22044) - High [425]

Description: GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

altlinux: CVE-2026-22044 was patched at 2026-02-04, 2026-02-09, 2026-02-12

62. Authentication Bypass - Moodle (CVE-2025-62399) - High [422]

Description: Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

altlinux: CVE-2025-62399 was patched at 2026-02-16

63. Remote Code Execution - PostgreSQL (CVE-2026-2004) - High [421]

Description: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

altlinux: CVE-2026-2004 was patched at 2026-02-16, 2026-02-17

debian: CVE-2026-2004 was patched at 2026-02-12, 2026-02-18

64. Remote Code Execution - Xrdp (CVE-2025-68670) - High [416]

Description: xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.

altlinux: CVE-2025-68670 was patched at 2026-02-02, 2026-02-05, 2026-02-12

debian: CVE-2025-68670 was patched at 2026-02-03, 2026-02-07, 2026-02-18

65. Remote Code Execution - Moodle (CVE-2025-67847) - High [414]

Description: A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.

altlinux: CVE-2025-67847 was patched at 2026-02-16

66. Remote Code Execution - PostgreSQL (CVE-2026-2005) - High [409]

Description: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

altlinux: CVE-2026-2005 was patched at 2026-02-16, 2026-02-17

debian: CVE-2026-2005 was patched at 2026-02-12, 2026-02-18

67. Remote Code Execution - PostgreSQL (CVE-2026-2006) - High [409]

Description: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

altlinux: CVE-2026-2006 was patched at 2026-02-16, 2026-02-17

debian: CVE-2026-2006 was patched at 2026-02-12, 2026-02-18

68. XXE Injection - Asterisk (CVE-2026-23739) - High [408]

Description: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

debian: CVE-2026-23739 was patched at 2026-02-18

69. Remote Code Execution - Juniper JunOS (CVE-2025-62348) - High [407]

Description: Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

altlinux: CVE-2025-62348 was patched at 2026-02-09, 2026-02-10

70. Code Injection - ClamAV (CVE-2020-37167) - High [404]

Description: ClamAV ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

debian: CVE-2020-37167 was patched at 2026-02-18

71. Remote Code Execution - PHPUnit (CVE-2026-24765) - High [402]

Description: PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.

debian: CVE-2026-24765 was patched at 2026-02-06, 2026-02-18

Medium (267)

72. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21955) - Medium [398]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21955 was patched at 2026-02-09

73. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21956) - Medium [398]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21956 was patched at 2026-02-09

74. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21983) - Medium [398]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21983 was patched at 2026-02-09

75. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21984) - Medium [398]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21984 was patched at 2026-02-09

76. Denial of Service - Django (CVE-2025-14550) - Medium [394]

Description: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

debian: CVE-2025-14550 was patched at 2026-02-18

ubuntu: CVE-2025-14550 was patched at 2026-02-03

77. Denial of Service - Django (CVE-2026-1285) - Medium [394]

Description: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

debian: CVE-2026-1285 was patched at 2026-02-18

ubuntu: CVE-2026-1285 was patched at 2026-02-03

78. Path Traversal - Rust (CVE-2025-11233) - Medium [394]

Description: Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target (`x86_64-pc-cygwin`) didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could misbehave, potentially allowing path traversal attacks or malicious filesystem operations. Rust 1.89.0 fixes the issue by handling both Win32 and Unix style paths in the standard library for the Cygwin target. While we assess the severity of this vulnerability as "medium", please note that the tier 3 Cygwin compilation target is only available when building it from source: no pre-built binaries are distributed by the Rust project, and it cannot be installed through Rustup. Unless you manually compiled the `x86_64-pc-cygwin` target you are not affected by this vulnerability. Users of the tier 1 MinGW target (`x86_64-pc-windows-gnu`) are also explicitly not affected.

redos: CVE-2025-11233 was patched at 2026-01-29

79. Remote Code Execution - Asterisk (CVE-2026-23740) - Medium [390]

Description: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

debian: CVE-2026-23740 was patched at 2026-02-18

80. Security Feature Bypass - Chromium (CVE-2026-2316) - Medium [389]

Description: Insufficient policy enforcement in Frames in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2026-2316 was patched at 2026-02-14, 2026-02-18

debian: CVE-2026-23160 was patched at 2026-02-18

debian: CVE-2026-23161 was patched at 2026-02-18

debian: CVE-2026-23163 was patched at 2026-02-18

debian: CVE-2026-23164 was patched at 2026-02-18

debian: CVE-2026-23166 was patched at 2026-02-18

debian: CVE-2026-23167 was patched at 2026-02-18

debian: CVE-2026-23168 was patched at 2026-02-18

debian: CVE-2026-23169 was patched at 2026-02-18

81. Security Feature Bypass - Mozilla Firefox (CVE-2026-24868) - Medium [389]

Description: Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2.

altlinux: CVE-2026-24868 was patched at 2026-02-03

82. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21982) - Medium [386]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

altlinux: CVE-2026-21982 was patched at 2026-02-09

83. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21987) - Medium [386]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21987 was patched at 2026-02-09

84. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21988) - Medium [386]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21988 was patched at 2026-02-09

85. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21989) - Medium [386]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

altlinux: CVE-2026-21989 was patched at 2026-02-09

86. Authentication Bypass - Oracle VM VirtualBox (CVE-2026-21990) - Medium [386]

Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

altlinux: CVE-2026-21990 was patched at 2026-02-09

87. Code Injection - Django (CVE-2026-1287) - Medium [382]

Description: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

debian: CVE-2026-1287 was patched at 2026-02-18

ubuntu: CVE-2026-1287 was patched at 2026-02-03

88. Code Injection - Django (CVE-2026-1312) - Medium [382]

Description: An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

debian: CVE-2026-1312 was patched at 2026-02-18

ubuntu: CVE-2026-1312 was patched at 2026-02-03

89. Remote Code Execution - GIMP (CVE-2025-15059) - Medium [380]

Description: GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232.